700,000 WordPress Sites Affected By Zero-day Vulnerability in File Manager Plugin

Yesterday a zero-day vulnerability was discovered in a popular WordPress plugin, File Manager. The vulnerability allows arbitrary file upload and remote code execution.

File Manager plugin is a useful plugin that allows users to browse site files in an easy way. The plugin has over 700,000 active installations that make it a desired target for attackers.

Yesterday the vulnerability was discovered by Seravo as part of their WordPress upkeep service. They noticed unusual activity on several of their customers’ websites and further investigation revealed the severe vulnerability in the File Manager plugin.

Zero-day Arbitrary file upload & Remote code execution

The way these vulnerability works is because of the execution of connector.minimal.php file. This file loads another file lib/php/elFinderConnector.class.php that can read post/get variables that can execute File Manager features like file uploading.

Since the PHP scripts are allowed to be executed, an attacker can upload unauthenticated arbitrary PHP files and execute them.

Upgrade plugin to version 6.9

The plugin’s team was informed about the vulnerability and they released the patched version 6.9. Any website using wp-file-manager 6.8 or below, upgrade to the version as soon as possible.

The vulnerability is being exploited in the wild. If you are the plugin’s user and have upgraded to the patched version, you should still scan the website for any malicious website that could have been uploaded by a malicious user.